I must admit I haven’t gone through all the blog posts and haven’t thoroughly googled this, so I apologise in advance. My question is: if someone has gained access to my computer (not physically, but through a hack/trojan/whatever) and my browser is logged in to LastPass, wouldn’t this attacker be able to access my profiles/secure notes the same way I do (I just activated re-prompt for master password while thinking of it), or get a screen capture when I’m looking at them? And now that I’ve activated re-prompting for master keyword I will be typing it a lot, making life easier for a keylogger; it does not re-prompt me to use my Google Authenticator. An on-screen keyboard is an option I guess, and a YubiKey for good measure. Well, those are my concerns; your input on this old thread would be great, sorry.

Thanks for reaching out. Multifactor authentication like the Google Authenticator and the YubiKey helps because even if screen-capture software or a keylogger captures your master password, they can’t log in to your LastPass on another machine without also having your multifactor authentication. I’m not aware of any hacks that allow malware to just take over LastPass in the browser. You can also set up the auto-logoff options in the LastPass Icon > Preferences menu so that your session times out and no one can sit down at your computer and just start browsing to your web logins.

1) Allow me to delete some of them from here, or pull up the exact same view in the vault (either is fine. A checkbox for deletion would Be A Real Good Thing, which can then xfer info back into the vault, if better from a security point of view)

Why: I have 58 on this list, almost all of which qualify as garbage. I have no idea where they came from (though I can often guess which site they are *supposed* to connect to), but they are not valid entries. I can probably do this via the “vault”, but the password being zero and “all these have the same password” is a useful context to spot the bad sites.

2) Allow one to mark sites as “low security” so they don’t factor into the “duplicate” rating. You have to log into almost ANYTHING to post a comment. I have a small number of pswds I use for these. I really don’t CARE about security here. I am not overly worried somehow with the idea of someone somehow, magically, getting the pswd from my one-time comment post on “JrandomBlog” and connecting that (again, magically) to my three-time comment postings on “Heretherebeblog”. Why would I care? Someone posting up “fake” comments “from me”? Why would I care, there’s a huge chance I’ll never ever visit either of those blogs ever again.

Why: about 270 of these irrelevancies or close-thereofs.

3) Allow me to identify some sites as “medium security” if they are the same site, with different logins. The obvious example of this is about four “spam” e-mail accounts associated with Yahoo. I use them whenever I am forced to enter an e-mail address to register and gain full use of a site, but they aren’t used in any “official” manner and I could live if someone hacked them. So the fact that all four share the same pswd is of no significance. I don’t use the “low security pswd”, but hacking one and somehow connecting it to the others is both not a big likelihood and next to no major significance. They aren’t “me”.

Why: probably about 5-15 of these accounts sharing 2-3 pswds.

4) Allow me to make items in the group for changing next time I access — and when I do, have LastPass pop up a reminder for me to change the pswd until I actually do it or tell it to “go away.”

Why: it would make the securitization process more flexible to match my own time-usage of the sites.

With these changes, I could get a real idea of my security state in terms of what *I* consider needing protection, as well as implementing that protection.

When adding a site, LastPass often grabs the full URL which is then useless. Could this be truncated so it’s just the domain value (i.e. google.com instead of google.com/login?8329083nsd) by default? Issue is that the full value is often wrong and won’t work with your autologin feature, but if you know to truncate the entry to just the domain the LastPass autologin always works.

Often when I log into LastPass I immediately launch a number of web sites – if one of those has “Require Password Reprompt” set I have to re-type my master password even though I typed it mere seconds earlier.

It would be awesome if LastPass could either:

(a) Have the “Do not reprompt for (x hours)” option appear on the initial login screen.

(b) Somehow detect that I typed my master password only a few seconds earlier and not bother me to re-type it (a very small window, e.g. 10 seconds, would be sufficient).

Thanks!

What is LastPass?

LastPass simplifies your online life by remembering your passwords for you. With LastPass to manage your logins, it's easy to have a strong, unique password for every online account and improve your online security. Get started today - it's free.
